We are anonymous, we are legion

NETmundial - Which Governments Have Not Submitted Contributions to NETmundial?

sumandro — 2014-04-25T09:47:53Z

The map shows (in *green*) all the countries from where no government agency has submitted any contribution to NETmundial. Governments of the countries appearing in *white* have contributed to the NETmundial process.

Inter-governmental and international bodies that have submitted contributions to NETmundial -- such as OECD and UNESCO -- have not been considered while creating the above map.

To see the map of all the countries from where there have been no contributions (by any kinds of organisation) to NETmundial, click here.

The Centre for Internet and Society, Bangalore, India, is a non-profit research organization that works on policy issues relating to freedom of expression, privacy, accessibility for persons with disabilities, access to knowledge and IPR reform, and openness, and engages in academic research on digital natives and digital humanities.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Panday, and with data entry support from Chandrasekhar.

Built on Bootstrap by Sumandro.

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

For more details visit https://cis-india.org/internet-governance/blog/net-mundial-which-governments-have-not-contributed-to-net-mundial

NETmundial - Which Countries Have Not Submitted Contributions to NETmundial?

sumandro — 2014-04-25T09:40:03Z

This set of analysis of the contributions submitted to NETmundial 2014 is part of the effort by the Centre for Internet and Society, Bangalore, India, to enable productive discussions of the critical internet governance issues at the meeting and elsewhere.

Created by Sumandro using Datamaps.

The map shows (in *green*) all the countries from where no contributions (by any kinds of organisation) have been submitted to NETmundial. Countries appearing in *white* are those from where contributions have been submitted.

Organisations that have indicated (in their submitted contribution) that they are either 'global' or 'international' organisations with headquarter in a specific country(ies), or a coalition of several organisations from different countries, have not been considered while making the above map. Such organisations (not considered while making this map) include African ICT/IG Stakeholders, Association for Progressive Communications, Best Bits, Just Net Coalition, OECD, etc.

To see the map of all the countries from where the respective governments have not submitted any contributions to NETmundial, click here.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

Built on Bootstrap by Sumandro

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

For more details visit https://cis-india.org/internet-governance/blog/net-mundial-which-countries-have-not-contributed-to-net-mundial

NETmundial - Contributions by Types of Organisation

sumandro — 2014-04-25T09:57:11Z

This Sankey diagram shows all the countries/regions from where contributions have come in on the left side, and all the various types of organisations on the right side. Use the mouse cursor to hover over a country to see what proportion of the submissions from that country has come from which type of organisation, or hover over an organisation type to see what proportion of submission from such organisations have come in from which countries.

The height of the blue bars next to the country/region names and organisation types indicate at the respective proportions among all the contributions.

Certain submissions have been contributed by global organisations, such as Internet Society, ICANN and Commonwealth agencies. These submissions have been included in the 'Global' division in the above chart.

Created by Sumandro using Google Charts.
Google Terms of Use and Data Policy.
Download the data.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

For more details visit https://cis-india.org/internet-governance/blog/net-mundial-contributions-by-types-of-organisation

NETmundial - Contributions by Countries of Origin

sumandro — 2014-04-25T09:55:43Z

Created by Sumandro using Google Charts.
Google Terms of Use and Data Policy.
Download the data.

This treemap chart divides up contributions submitted to NETmundial 2014 into their countries of origin, which are also clustered into regional divisions. The size of the rectangles indicate the total number of submissions from the respective region/country.

Right click on the regions to see the division of submissions from the countries within that region. Left click to go back.

Certain submissions have been contributed by global organisations, such as Internet Society, ICANN and Commonwealth agencies. These submissions have been included in the 'Global' division in the above chart. Also, Russia has been included within Europe, and China has been included within East Asia.

The visualisations are done by Sumandro Chattapadhyay, based on data compilation and analysis by Jyoti Pandey, and with data entry suport from Chandrasekhar.

All code, content and data is co-owned by the author(s) and Centre for Internet and Society, Bangalore, India, and shared under Creative Commons Attribution-ShareAlike 2.5 India license.

For more details visit https://cis-india.org/internet-governance/blog/net-mundial-contributions-by-countries-of-origin

NETmundial - Comparing Appearance of Fifty Most Frequent Words

sumandro — 2014-04-25T09:59:13Z

Image above: Comparing Absolute Appearance of Fifty Most Frequent Words

Image above: Comparing Relative Appearance of Fifty Most Frequent Words

Created by Sumandro using R.
Download the R code.
Download the data.

These heatmaps compare the appearance of fifty most frequently appearing words (for all 187 contributions) across the contributions made by different types of organisation. Click on them to see the larger images. Hit *escape* to come back to this page.

The first heatmap shows the absolute appearance of the words -- that is the total number of times each word appears in contributions by a type of organisation.

The second heatmap shows the relative appearance of the words -- that is the ratio of the word's appearance in contribution by a type of organisation divided by total number of contributions by that type of organisation.

For more details visit https://cis-india.org/internet-governance/blog/net-mundial-comparing-appearance-of-fifty-most-frequent-words

Banking Policy Guide

Kartik Chawla — 2015-01-22T14:54:57Z

To gain a practical perspective on the existing banking practices and policies in India in this project, an empirical study of five separate and diverse banks has been conducted. The forms, policy documents, and other relevant and available documents of these banks have been analysed in this project.

These documents were obtained from the websites of the respective banks, and wherever they were lacking, from the branches of the banks themselves. Attempts were made to obtain any information required for the project that was not available on the website or in the forms from the officers of the respective banks.

The State Banks of India (hereinafter ‘SBI’), Central Bank of India (hereinafter ‘CBI’), ICICI Bank (hereinafter ‘ICICI’), IndusInd Bank (hereinafter ‘IndusInd’) and Standard Chartered Bank (hereinafter ‘SCB’) are the banks chosen for this project. As mentioned, these banks have been chosen to ensure a diverse sample pool. SBI is an Indian public multinational bank, CBI is an Indian public bank and it is not multinational, ICICI is an Indian private and multinational bank, IndusInd is an Indian private bank which isn’t multinational, and SCB is a British bank operating in India.

The forms and other documents of each of the banks have been compared against a template of twenty nine questions created from the nine principles given in Justice A.P. Shah Group of Experts’ Report on Privacy.

The two services provided by these banks that have been analysed are Opening an Account and Taking out a Personal Loan. This comparison has been done keeping in mind the obligations of the banks under the Master Circular and the KYC Norms detailed in it, Code of Conduct, and the Rules under Section 43A of the IT Act. Attempts have been made to clarify the basis of the response as much as possible. An analysis of the obligations of the banks is present below, along with an explanation of the relevance of various parts of the two services that are analysed.

Click to download:

For more details visit https://cis-india.org/internet-governance/blog/banking-policy-guide

NETmundial and Suggestions for IANA Administration

smarika — 2014-04-23T04:00:49Z

Following NTIA's announcement to give up control over critical Internet functions, the discussion on how that role should be filled has gathered steam across the Internet governance space.

This post maps the discussion across the NETmundial submissions and presents six emerging evolution scenarios related to the IANA functions:

Separation of IANA from policy/ICANN, control of IANA to a multilateral body
Separation of IANA from policy/ICANN, control of IANA to a non-multilateral body
No separation of IANA from policy/ICANN, control of IANA to a multilateral body
No separation of IANA from policy/ICANN, control of IANA to a non-multilateral body
Multiplication of TLD registries and root servers
Maintenance of status quo

I. Separation of IANA from policy/ICANN, control of IANA to a multilateral body

The proposal under this category demands for the separation of IANA function from technical policy making, and suggests that the IANA function be transferred to an intergovernmental body.

Such proposal is listed below:

Sl.No.	Proposal No.	Name of Proposal	Organization	Sector	Region	Link
1	186	The Next Best Stage for the Future of Internet Governance is Democracy	Global Geneva	Civil Society	Geneva, Switzerland	http://content.netmundial.br/contribution/the-next-best-stage-for-the-future-of-internet-governance-is-democracy/305

This proposal by Global Geneva seeks the establishment of an intergovernmental organisation called World Internet Organisation (WIO), under which IANA (which is understood to be essentially technical and concerning safety and security of the Internet would be located. WIO would additionally have a special link/status/contract with IANA to avoid unwanted interference from governments. A 75% majority at WIO would be requested to act/modify/contest an IANA decision, making it difficult for governments to go beyond reasonable and consensual demands. WIO would act in concert with World Internet Forum, under which ICANN would be located, whereby it would make policy decisions regarding gTLDs apart from its other present functions.

II. Separation of IANA from policy/ICANN, control of IANA to a non-multilateral body

There are certain proposals whereby it is proposed that IANA function should be separated from technical policy making, or ICANN, and IANA function, which is perceived to be a purely administrative one in such submissions, should be handed over to some sort of non-multilateral organisation, which take different forms in each proposal.

Most such submissions have emerged from the civil society or the technical community.

The Internet Governance Project submission envisions the creation of a DNS Authority under whose umbrella IANA would function. The DNS Authority would be separate from ICANN. This proposal has been endorsed by the submissions of InternetNZ as well as Article 19 and Best Bits. Avri Doria’s submission, along with the submission of APC, envisions the establishment of an independent IANA, separate from the technical policy function. Such independence is sought to be preceded by a transition period by a body called IANA Stewardship Group which would be constituted mostly by members from the technical community. IANA is sought to be governed via MoUs with all stakeholders, on the same lines as the MoU between ICANN and the IETF, as described in RFC2860, RFC6220. The focus of these MoUs would not be policy but will be on performance and adherence to service level agreements.

These submissions are listed below:

Sl. No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	19	Roadmap for Globalising IANA: Four Principles and a Proposal for Reform	Internet Governance Project	Civil Society	North America	http://content.netmundial.br/contribution/roadmap-for-globalizing-iana-four-principles-and-a-proposal-for-reform-a-submission-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/96
2	26	Roadmap for the Further Evolution of the Internet Governance Ecosystem- ICANN	Article 19 and Best Bits	Civil Society	Global	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem-icann/109
3	42	Content Contribution to NetMundial on the Roadmap for the Futher Evolution of the IG Ecosystem regarding the Internationalisation of the IANA Function	InternetNZ	Technical Community	New Zealand	http://content.netmundial.br/contribution/content-contribution-to-netmundial-on-the-roadmap-for-the-futher-evolution-of-the-ig-ecosystem-regarding-the-internationalisation-of-the-iana-function/130
4	60	One Possible Roadmap for IANA Evolution	Avri Doria, Independent Researcher	Other	USA	http://content.netmundial.br/contribution/one-possible-roadmap-for-iana-evolution/153
5	162	APC Proposals for the Further Evolution of the Internet Governance Ecosystem	Association for Progressive Communications (APC)	Civil Society	APC is an international organisation with its executive director's office in South Africa	http://content.netmundial.br/contribution/apc-proposals-for-the-further-evolution-of-the-internet-governance-ecosystem/280

III. No separation of IANA from policy/ICANN, control of IANA to a multilateral body

These submissions propose that the IANA function should come under a multilateral body. However they do not suggest the separation of IANA function from policymaking, or from ICANN; or they are at least silent on this latter issue. 2 such proposals come from the civil society and 2 from the government.

A list of these submissions is provided below:

Sl. No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	8	Roadmaps for Further Evolution of Internet Governance	Association for Proper Internet Governance	Civil Society	Switzerland	http://content.netmundial.br/contribution/roadmaps-for-further-evolution-of-internet-governance/65
2	45	Russian Parliament Submission to NET mundial	State Duma of the Russian Federation (Parliament of the Russia)	Government	Russian Federation	http://content.netmundial.br/contribution/themes/133
3	121	Contribution from the Islamic Republic of Iran to the Global Multiskaeholder (sic) Meeting for the Future of the Internet, 23-24 April 2014 Sao Paulo, Brazil	Cyber Space National Center, Iran	Government	Islamic Republic of Iran	http://content.netmundial.br/contribution/contribution-from-the-islamic-republic-of-iran-to-the-global-multiskaeholder-meeting-for-the-future-of-the-internet-23-24-april-2014-sao-paolo-brazil/236
4	125	Towards Reform of Global Internet Governance	The Society for Knowledge Commons	Civil Society	India and Brazil	http://content.netmundial.br/contribution/towards-reform-of-global-internet-governance/240

IV. No separation of IANA from policy/ICANN, control of IANA to a non-multilateral body

These submissions do not consider the issue of separation of IANA function from policymaking, or ICANN, or at least do not state an opinion on the separation of IANA function from ICANN. However, they do suggest that the control of IANA should be held by a non-multilateral body, and not the US Government.

Many of these submissions also suggest that the oversight of ICANN should be done by a non-multilateral body, therefore it makes sense that the IANA function is administered by a non-multilateral body, without its removal from the ICANN umbrella.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	46	Norwegian Contribution to the Sao Paulo Meeting	Norwegian government	Government	Norway, Europe	http://content.netmundial.br/contribution/norwegian-government/137
2	50	Contribution from the GSM Association to the Global Multistakeholder Meeting on the Future of Internet Governance	GSMA	Private Sector	Global	http://content.netmundial.br/contribution/contribution-from-the-gsm-association-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/141
3	51	Contribution of Telefonica to NETmundial	Telefonica, S.A.	Private Sector	Spain	http://content.netmundial.br/contribution/contribution-of-telefonica-to-netmundial/143
4	56	ETNO Contribution to NETmundial	ETNO [European Telecommunications Network Operators' Association]	Private Sector	Belgium	http://content.netmundial.br/contribution/etno-contribution-to-netmundial/148
5	61	French Government Submission to NETmundial	French Ministry of Foreign Affairs	Government	France	http://content.netmundial.br/contribution/french-government-submission-to-netmundial/154
6	63	Nominet Submission on Internet Governance Principles and the Roadmap	Nominet	Private Sector	UK	http://content.netmundial.br/contribution/nominet-submission-on-internet-governance-principles-and-the-roadmap/156
7	64	Submission by AHCIET to the Global Multistakeholder Meeting on the Future of Internet Governance. NETmundial	AHCIET	Private Sector	Latin America	http://content.netmundial.br/contribution/submission-by-ahciet-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance-netmundial/157
8	70	Spanish Government Contribution to the Global Multi-stakeholder Meeting on the Future of Internet Governance	Ministry of Industry, Energy and Tourism, Spain	Government	Spain	http://content.netmundial.br/contribution/multistakeholder-human-rights-stability-gac/165
9	80	Roadmap for the Further Evolution of the Internet Governance Ecosystem	European Commission	Government	Europe	http://content.netmundial.br/contribution/roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/177
10	94	Roadmap for the Future Development of the Internet Governance Ecosystem	Ministry of Foreign Affairs of Argentina	Government	Argentina	http://content.netmundial.br/contribution/roadmap-for-the-future-development-of-the-internet-governance-ecosystem/196
11	97	Orange Contribution for NETmundial	Orange Group	Private Sector	Deputy to the Chief Regulatory Officer Orange Group	http://content.netmundial.br/contribution/orange/199
12	106	Submission on Internet Governance Principles and Roadmap for the Further Evolution of the Internet Governance Ecosystem	Kuwait Information Technology Society	Civil Society	Kuwait	http://content.netmundial.br/contribution/kuwait-information-technology-society-kits-submission-on-internet-governance-principles-and-roadmap-for-the-further-evolution-of-the-internet-governance-ecosystem/214
13	111	Content Submission by the Federal Government of Mexico	Secretara de Comunicaciones y Transportes, Mexico	Government	Mexico	http://content.netmundial.br/contribution/content-submission-by-the-federal-government-of-mexico/219
14	114	Better Understanding and Co-operation for Internet Governance Principles and Its Roadmap	Japan Internet Service Providers Association	Private Sector	Japan	http://content.netmundial.br/contribution/better-understanding-cooperation-for-internet-governance-principles-its-roadmap/222
15	116	Deutsche Telekom’s Contribution for to the Global Multistakeholder Meeting on the Future of Internet Governance	Deutsche Telekom AG	Private Sector	Germany / Europe	http://content.netmundial.br/contribution/deutsche-telekom-s-contribution-for-to-the-global-multistakeholder-meeting-on-the-future-of-internet-governance/225
16	148	NRO Contribution to NETmundial	NRO (for AFRINIC, APNIC, ARIN, LACNIC, RIPE-NCC)	Technical Community	Mauritius	http://content.netmundial.br/contribution/nro-contribution-to-netmundial/259
17	146	Evolution and Internationalisation of ICANN	CGI.br- Brazilian Internet Steering Committee	Other	Brazil	http://content.netmundial.br/contribution/evolution-and-internationalization-of-icann/263
18	176	Addressing Three Prominent “How To” Questions on the Internet Governance Ecosystem Future	Luis Magalhes, Professor at IST of University of Lisbon, Portugal; Panelist of ICANN’s Strategy Panel on the Role in the Internet Governance System	Academia	Portugal	http://content.netmundial.br/contribution/addressing-three-prominent-how-to-questions-on-the-internet-governance-ecosystem-future/294
19	183	NETmundial Content Submission- endorsed by NIC Mexico	NIC Mexico	Technical Community	Mexico	http://content.netmundial.br/contribution/netmundial-content-submission-endorsed-by-nic-mexico/302

V. Multiplication of TLD registries and Root Servers

These submissions are based on the assumption that reform in the current ICANN/IANA administrative structure is impossible as the US government is unlikely to give up its oversight role over both. Instead, these submissions suggest that multiple TLD registries and root servers should be created as alternatives to today’s IANA/ICANN so that a healthy market competition can be fostered in this area, rather than fostering monopoly of IANA.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	41	Internet Governance: What Next?	EUROLINC	Civil Society	France, Europe	http://content.netmundial.br/contribution/internet-governance-what-next/129
2	175	The Intergovernance of the InterPLUS	INTLNET	Civil Society	France	http://content.netmundial.br/contribution/the-intergovernance-of-the-interplus/293

VI. Maintenance of status quo

These submissions are based on the “if it ain’t broke, don’t fix it” principle, and are of the opinion that there is no need to change the administration of IANA function as it functions efficiently in the current system.

A list of such submissions is provided below:

Sl.No.	Proposal No.	Name of Proposal	Organisation	Sector	Region	Link
1	12	United Kingdom Government Submission	Department For Culture Media and Sport, United Kingdom Government	Government	Government	http://content.netmundial.br/contribution/united-kingdom-government-submission/79
2	133	Perspectives from the Domain Name Association	Domain Name Association	Private Sector	Private Sector	http://content.netmundial.br/contribution/perspectives-from-the-domain-name-association/249

Read more on ICANN/IANA: Role and Structural Considerations (PDF Document, 1215 Kb)

For more details visit https://cis-india.org/internet-governance/blog/net-mundial-and-suggestions-for-iana-administration

Principles for Internet Governance: NETmundial 2014 — What do the Contributions Reveal?

geetha — 2014-04-23T04:01:21Z

The Global Multi-stakeholder Meeting on the Future of Internet Governance (NETmundial) is scheduled for April 23-24, 2014. Towards its stated end of establishing "strategic guidelines related to the use and development of the Internet in the world", NETmundial sought contributions from stakeholders around the world on two topics: (1) Set of Internet governance principles; (2) Roadmaps for the further evolution of the Internet governance system.

This post analyses the contributions of the academic community to draw out broad agreements and divergences concerning Internet governance principles.

I. Introduction

In two days, a large measure of the global Internet community – governments, the private sector, civil society, technical community and academia – gather in São Paulo, Brazil, for the Global Multi-stakeholder Meeting on the Future of Internet Governance. The NETmundial (April 23-24, 2014), touted as the World Cup of Internet governance, is a global conference convened and supported by the Brazilian president, Dilma Rousseff, and organized by the Brazilian Internet Steering Committee (CGI.br) and /1Net, a forum comprising various stakeholders involved and interested in Internet governance. It hopes, importantly, “to establish strategic guidelines related to the use and development of the Internet in the world”. To this end, it sought open-ended Contributions from interested stakeholders on the topics, “Set of Internet governance principles” and “Roadmaps for the further evolution of the Internet governance system”. The agenda for NETmundial may be found here.

To fully utilize the 2 short days available, knowledge of the stakeholder positions, especially their broad agreements and divergences on the two topics, is of immense help. Through a series of posts, I analyse the contributions to NETmundial on the question of Internet governance principles, seeking to dig deep into definitions and interpretations of suggested principles, such as management of Critical Internet Resources (such as the Domain Name System), human rights including freedom of expression and privacy, cyber-security, inclusiveness and participation in Internet governance, etc. In separate posts, I shall analyse contributions of each sector (governments, the private sector, civil society, technical community, academia and ‘Other’) and finally, present an overall analysis of the contributions pitted against the Draft Outcome Document, which is presently under discussion.

II. The Contributions

The NETmundial has received 187 contributions from 46 countries. Sector break-ups are given below:

Sector	Number of Contributions (187)
Academia	20
Governments	28
Private Sector	43
Civil Society	61
Technical Community	16
‘Other’ (such as UNESCO, the European Commission, etc.)	19

A quick look at the contributors indicates that contributions are primarily from North America, Europe, South and East Asia, and South America. No or very few contributions were made from large parts of Africa and South East Asia, Central and West Asia, Eastern Europe and Western South America. We present a graphical representation of contributing countries here.

Of the contributions, stakeholders from various sectors contributed to the two topics listed above in the following manner:

Sector	Set of Internet Governance Principles	Roadmaps for Further Evolution of the Internet Governance System	Combined: Internet Governance Principles & Roadmaps
Academia	7	7	6
Government	7	4	17
Private Sector	11	3	29
Civil Society	25	21	15
Technical Community	8	5	3
‘Other’	7	4	8

Despite the above classification, I focus on all 187 contributions for analysis. This is as some contributions expressly set out principles while others do not. Therefore, eliciting and analyzing principles from stakeholder contributions has involved a certain amount of subjective maneuvering. However, such elicitation has been restricted on the following bases:

The contribution is externally categorized as falling under either “Set of Internet governance principles” or “Combined – Internet governance principles & Roadmaps”.
Internally, the document places principles under rubrics of ‘Internet governance principles’.
Internally, the document makes references to Internet governance principles before setting out (without rubrics) principles.

With this caveat, I go on to discuss the NETmundial contributions from the academic community to Internet governance principles.

Part I: Academia

Of the academic contributions, the main contributors are Africa (Kenya – 1, Sudan – 3), Europe (Germany – 1, Poland – 1, Portugal – 1, Russia – 2, Ukraine – 1), South America (Argentina – 1, Brazil – 3) and the United States (8). No Asian country has made an academic contribution, and as evident from above, academia is geographically severely under-represented. Furthermore, only 4 out of 20 contributions expressly set out Internet governance principles. These four are:

Semantics aside, certain broad, high-level consensus emerges within the academic community. On substantive principles of governance on the Internet, the greatest support is found for freedom of express and access to information, with 6 contributions emphasizing this. Equally important is Internet universality and non-discriminatory (3 contributions), universal access to the Internet (6). Protection of privacy and permissible levels of surveillance come a close second, with 5 contributions referring to these. Cyber-security (5), respect for human rights (4) and support for net neutrality (3) and cultural and linguistic diversity on the Internet (3) also emerge as issues of concern for the academic community. The UNESCO and academics from Sudan emphasize training and education to use the Internet. Inter-operability (2) and a single, unfragmented Internet (2) also find a place in the academic community’s contributions.

With regard to processual principles for Internet governance, inclusiveness and participation are the most important concerns (5). The academic community asks for an open, transparent and multi-stakeholder Internet governance system (4), calling for international cooperation (2) among governments and other stakeholders. Interestingly, one contribution requires that the role of governments in the multi-stakeholder model be limited to “the facilitation of the participation of their domestic stakeholder communities in Internet governance processes”, while a Brazilian contribution advocates a multilateral model.

While no contribution expressly calls for these principles to underscore global Internet governance, the author believes that a high-level consensus may be gleaned in favour of respect for and protection of human rights, especially freedom of expression, access to information, privacy and protection from unwarranted domestic or extraterritorial surveillance. This is further supported by cyber-security concerns. The call for universal access to the Internet, alongside mention of net neutrality, emphasizes inclusiveness and non-discrimination. Processually as well, inclusiveness and participation (including equal participation) of all stakeholders finds the largest support, reflected in the calls for multi-stakeholder models of Internet governance.

No glaring divergences exist with regard to human rights or principles of governance on the Internet. The only major divergence amongst academia is the call for multilateral or multi-stakeholder models of Internet governance. While a majority of the contributions call for multi-stakeholder models, the Brazilian contribution (linked above) calls for “Open, multilateral and democratic governance, carried out with transparency by stimulating collective creativity and the participation of society, Governments and the private sector”, while at the same time supporting a “real multi-stakeholder governance model for the Internet based on the full involvement of all relevant actors and organizations”. Indeed, even this divergence is marked by a common emphasis on open, transparent and inclusive participation in Internet governance.

For more details visit https://cis-india.org/internet-governance/blog/principles-of-internet-governance-net-mundial-2014

6th Biannual Surveillance and Society Conference

praskrishna — 2014-05-05T04:57:59Z

Malavika Jayaram is a speaker at the conference organized by Eticas Research and Consulting at the University of Barcelona and CCCB from April 24 to 26, 2014.

Malavika will present on the UID and biometrics at the session on “Surveillance: Ambiguities and Uncertainties". Malavika's talk title is "Biometrics in beta: experimenting on a nation (while normalising surveillance for 1.2 billion people)" and is being held on April 26. See the full event details on this page.

In the developing world, privacy is often portrayed as a luxury, as something alien to local culture and of interest only to the elite. This ignores the probability of the most marginalized sections of a society being disproportionately impacted by privacy intrusive technologies. The hype about ‘big data’, ‘open data’, ‘data for development’, ‘ICT4D’ and other buzzwords often ignores the fact that the global south is particularly vulnerable to data collection and processing. Literacy issues (lingual and technical), a massive digital divide, desperate socioeconomic conditions and the lack of a robust data protection law render ideas of consent or tradeoffs all but meaningless.

Techno-utopian welfare schemes present technology as progressive, neutral and frictionless – a seductive and compelling narrative in a region wracked by inequalities, corruption, lack of transparency and structural violence. This vision underpins the world’s largest biometric ID project, which has already registered the irises and fingerprints of 540 million people without even being completed. Yet the assumption that bodies can be rendered into infallible verifiers, as repositories of unchanging truth, ignores embedded biases and normative baselines within such technologies. Welfare projects are further complicated when they are architected as public-private partnerships: the collusion of governmental and corporate agendas in creating massive databases and profiles, in a manner that transforms the citizen-state relationship in profound ways, has sweeping implications for choice, autonomy, anonymity and ultimately, democracy. This is true even when the systems function as intended, without mechanical failure, data breaches, or other consequences of trading privacy for convenience, welfare and security.

I would like to discuss the risks of using technologies such as biometrics to solve socioeconomic problems, and their potential for excluding the very demographics that they seek to include. I intend to locate my presentation in the context of India’s growing surveillance state, which deliberately intends to use the unique identification number to link disparate databases. I propose to describe the new Centralised Monitoring System, the relative legal vacuum in which data is mined and harvested, and the shaky constitutional foundations on which many of these new regimes stand. In so doing, I will effectively have provided a tour of India’s Rogue’s Gallery of recent incursions into the zone of privacy, free speech, informational self-determination and dignity. I hope also to redress in some small measure the largely western focus of academic and policy debates in this field, despite the risks of developing countries seeking to commoditize and export identity schemes, normalize censorship or opportunistically benefit from the west no longer having the moral ground to resist third country surveillance practices.

For more details visit https://cis-india.org/news/ssn-2014-sixth-biannual-surveillance-and-society-conference

South African Protection of Personal Information Act, 2013

divij — 2014-05-05T06:59:51Z

As the rapid spread of technology in developing countries allows exponentially increasing availability of and access to personal data through automatic data processing, governments are beginning to recognize the necessity to evolve policies addressing data security and privacy concerns.

The source of pressure for strict legal regulations addressing data protection are both the growing recognition of the importance of privacy rights, as well as the risk of falling behind on international standards on data protection, which would hamper the potential of developing countries as destinations for outsourcing industries which depend largely on processing of information.[1] The Protection of Personal Information Act enacted by South Africa is an example of a policy which enables a comprehensive framework for data security and privacy and is a model for other developing nations which are weighing the costs and benefits of establishing a secure data protection regime.

The South African law traces the right to protection of personal information back to Section 14 of the South African Constitution, which provides for a right against the unlawful collection, retention, dissemination and use of personal information. The law establishes strict restrictions and regulations on the processing of personal information, which includes information including relating to race, gender, sexual orientation, medical information, biometric information and personal opinion. The processing of personal information under the Act must comply with 8 principles, namely - accountability, lawful purpose for processing and processing limitation, purpose specification, information quality, openness and notice of collection, openness, reasonable security safeguards and subject participation, in line with the international standards for fair information practices.[2] The Act also recognizes ‘special personal information’, including religious or political beliefs, race, sexual orientation and trade union membership, as well as any personal information of children below the age of 18, which require stricter safeguards for processing,. Similar to the draft Indian legislation on privacy, the Act contemplates an independent regulatory mechanism, the information regulator, which would have all the necessary powers to effectively monitor compliance under the Act, including the power for punishing offences under the Act.

The Protection of Personal Information Act contains 115 Sections and is meant to be an exhaustive and heavily detailed policy to bring South Africa’s laws in line with EU and international regulations on data protection.[3] Though such progressive policies should be a model for policy changes in other developing nations, one aspect in which the law fails is to address increasing privacy concerns arising from widespread government-enabled surveillance and data retention. The POPI excludes from its application the processing of information related to national security, terrorist related activities and public safety, combating of money laundering, investigation of proof of offences, the prosecution of offenders, execution of sentences or other security measures, subject to adequate safeguards being established by the legislature for protection of personal information. Unfortunately, the ambiguous wording of the exclusions, especially in determining “adequate safeguards”, leaves its interpretation and application open for governments to engage in mass surveillance in the name of public security. Over the past few years, governments have taken to using technology and information, particularly through mass surveillance, to collect comprehensive information on their citizens and violate their liberties and privacy. In India, particularly with programs like the Central Monitoring System being implemented, any policy which purportedly aims at the protection of privacy must not only seek bare minimal compliances with the current international standards for data protection, but should also address the mass, unrestricted surveillance and data retention which is taking place in the name of public security.

Developing nations like South Africa and India face significant challenges in ensuring individual privacy, particularly the lack of sufficient legal safeguards for the protection of privacy. The right to privacy is often dismissed as an elitist or western concept, which does not have value in the context of developing nations, without engaging with the realities and the nuances of the right. Further, the costs of expensive technical safeguards means private and public bodies are required to spend significant resources in maintaining data security and these factors often outweigh privacy considerations in policy debates. The South African Act, hence, serves both as an important model for legislation and as an indication that the right to privacy is valuable to recognize in developing countries as well.

[1]. Article 25 of the European Union Directive on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of such data (Directive 95/46/EC) prohibits the transfer of data to non-member states which do not comply with adequate data protection norms.

[2]. http://oecdprivacy.org/

[3]. Link to Act: www.gov.za/documents/download.php?f=204368

For more details visit https://cis-india.org/internet-governance/blog/south-african-protection-personal-information-act-2013

Privacy Law in India: A Muddled Field - I

bhairav — 2014-05-05T06:17:06Z

The absence of a statute expressing the legislative will of a democracy to forge a common understanding of privacy is a matter of concern, says BHAIRAV ACHARYA in the first of a two part series.

The article was published in the Hoot on April 15, 2014.

Privacy evades definition and for this reason sits uneasily with law. The multiplicity of everyday privacy claims and transgressions by ordinary people, and the diversity of situations in which these occur, confuse any attempt to create a common meaning of privacy to inform law. Instead, privacy is negotiated contextually, and the circumstances that permit a privacy claim in one situation might form the basis for its transgression in another.

It is easy to understand privacy when it is claimed in relation to the body; it is beyond argument that every person has a right to privacy in relation to their bodies, especially intimate areas. It is also accepted that homes and private property secure to their owners a high degree of territorial privacy. But what of privacy from intrusive stares, or even from camera surveillance, when in a public place? Or of biometric privacy to protect against surreptitious fingerprint capturing or DNA collection from the things we touch and the places we visit every day? Or the privacy of a conversation in a restaurant from other patrons? Clearly, there are multiple meanings of privacy that are negotiated by individuals all the time.

Law has, where social custom has demanded, clothed some aspects of human activity with an expectation of privacy. In relation to bodily privacy, this is achieved by both ordinary common law without reference to privacy at all, such as the offences of battery and rape; and, by special criminal law that is premised on an expectation of privacy, such as the discredited offences regarding women’s modesty in sections 354 and 509 of the Indian Penal Code, 1860 (IPC), and the new offences of voyeurism and stalking contained in sections 354C and 354D of the IPC.

The law also privileges communications that are made through telephones, letters, and emails by regulating the manner of their interception in special circumstances. Conditional interception provisions with procedural safeguards – which, for several reasons, are flawed and ineffective – exist to protect the privacy of such communications in section 5(2) of the Indian Telegraph Act, 1885, section 26 of the Indian Post Office Act, 1898, and section 69 of the Information Technology Act, 2000.

Territorial privacy, which is afforded by possession of private property, is ordinarily protected by the broad offence of trespass – in India, these are the offences of criminal trespass, house trespass, and lurking house-trespass contained in sections 441 to 443 of the IPC – and house-breaking, which is akin to the offence of breaking and entering in other jurisdictions, in section 445 of the IPC.

Some measure of protection is provided to biometric information, such as fingerprints and DNA, by limiting their lawful collection by the state: sections 53, 53A, and 54 of the Code of Criminal Procedure, 1973 permit collections of biometric information from arrestees in certain circumstances; this is in addition to a colonial-era collection regime created by the Identification of Prisoners Act, 1920. However, nothing expressly prohibits the police or anybody else from non-consensually developing DNA profiles from human material that is routinely left behind by our bodies, for instance, saliva on restaurant cutlery or hair at the barbershop.

Physical surveillance, by which a person is visually monitored to invade locational privacy, is also inadequately regulated. Besides man-on-woman stalking, which was criminalised only one year ago, no effective measures exist to otherwise protect locational privacy. Indian courts regularly employ their injunctive power but have been loath to issue equitable remedies such as restraining orders to secure privacy. Police surveillance, which is usually covert, is an executive function that is practised with wide latitude under every state police statute and government-issued rules and regulations thereunder with little or no oversight. The risk of misuse of these powers is compounded by the increasingly widespread use of surveillance cameras sans regulation.

Other technologies too compromise privacy: GPS-enabled mobile phones offer precise locational information, presumably consensually; cell-tower tracking, almost always non-consensually, is ordered by Indian police without any procedurally built-in safeguards; radio frequency identification to locate vehicles is sought to be made mandatory; and, satellite-based surveillance is available to intelligence agencies, none of which are registered or regulated unlike in other liberal democracies.

No uniform privacy standard in law

None of these laws applies a uniform privacy standard nor are they measured against a commonly understood meaning of privacy. The lack of a statutory definition is not the issue; the lack of a statute that expresses the legislative will of a democracy to forge a common understanding of privacy to inform all kinds of human activity is the concern. Ironically, the impetus to draft a privacy law has come from abroad. Foreign senders of personal information – credit card data, home addresses, phone numbers, and the like – to India’s information technology and outsourcing industry demand institutionalised protection for their privacy.

Pressure from the European Union, which has the world’s strongest information privacy standards and with which India is currently negotiating a free trade agreement, to enact a data protection regime to address privacy has not gone unanswered. The Indian government – specifically, the Department of Personnel and Training, the same department that administers the Right to Information Act, 2005 – is currently drafting a privacy law to govern data protection and surveillance. At stake is the continued growth of India’s information technology and outsourcing sectors that receive significant amounts of European personal data for processing, which drives national exports and gross domestic product.

An inferred right

For its part, the Supreme Court has examined more than a few privacy claims to find, intermittently and unconvincingly, that there is a constitutional right to privacy, but the contours of this right remain vague. In 1962, the Supreme Court rejected the existence of a privacy right in Kharak Singh’s case which dealt with intrusive physical surveillance by the police.

The court was not unanimous; the majority of judges expressly rejected the notion of locational privacy while declaring that privacy was not a constituent of personal liberty, a lone dissenting judge found the opposite to be true and, furthermore, held that surveillance had a chilling effect on freedom. In 1975, in the Gobind case that presented substantially similar facts, the Supreme Court leaned towards, but held short of, recognising a right to privacy. It did find that privacy flowed from personal autonomy, which bears the influence of American jurisprudence, but subjected it to the interests of government; the latter prevailed.

However, in the PUCL case of 1997 that challenged inadequately regulated wiretaps, the Supreme Court declared that phone conversations were protected by a fundamental right to privacy that flowed from Article 21 of the Indian Constitution. To intrude upon this right, the court said, a law was necessary that is just, fair, and reasonable. If this principle were to be extended beyond communications privacy to, say, identity cards, the Aadhar project, which is being implemented without the sanction of an Act of Parliament, would be judicially stopped.

But what does “law” mean? Is it only the law of our Constitution and courts? What of the law that governed Indian societies before European colonisation brought the word ‘privacy’ to our legal system? Classical Hindu law – distinct from colonial and post-independence Hindu law – also recognises and enforces expectations of privacy in different contexts. It recognised the sanctity of the home and family, the autonomy of the community, and prescribed penalties for those who breached these norms. So, too, does Islamic law: all schools of Islamic jurisprudence – ‘fiqh’ – recognise privacy as an enforceable right.

Different words and concepts are used to secure this right, and these words have meanings and connotations of their own. But, the hermeneutics of privacy notwithstanding, this belies the common view that privacy is not an Indian value. Privacy may or may not be a cultural norm, but it has existed in India and South Asia in different forms for millennia.

Bhairav Acharya is a constitutional lawyer practising in the Supreme Court of India. He advises the Centre for Internet & Society, Bangalore, on privacy law and other constitutional issues.

For more details visit https://cis-india.org/internet-governance/blog/the-hoot-bhairav-acharya-april-15-2014-privacy-law-in-india-a-muddled-field-1

Very Big Brother

sunil — 2014-04-14T11:39:09Z

The Centre for Internet and Society, the organization I work for, currently serves on a committee established by the Government of India's Department of Biotechnology, Ministry of Science and Technology in January 2013. The committee has been charged with preparing a report on the draft Human DNA Profiling Bill.

The article was originally published in GeneWatch (January - April 2014) issue.

Why should an organization that focuses on the Internet be invited to such a committee? There are some obvious reasons related to data protection and big data. CIS had previously served on the Justice AP Shah committee that was tasked by the Planning Commission to make recommendations on the draft Privacy Bill in 2012. There are also some less obvious connections, such as academic research into cyborgs wherein the distinction between human and machine/technology is blurred; where an insulin pump makes one realize that the Internet of Things could include the Internet of Body Parts. But for this note I will focus on biometrics - quantifiable data related to individual human characteristics - and their gate-keeping function on the Internet.

The bouquet of biometric options available to technologists is steadily expanding - fingerprint, palm print, face recognition, DNA, iris, retina, scent, typing rhythm, gait, and voice. Biometrics could be used as authentication or identification to ensure security and privacy. However, biometrics are different from other types of authentication and identification factors in three important ways that have implications for human rights in information societies and the Internet.

Firstly, biometrics allow for non-consensual authentication and identification. Newer, more advanced and more expensive biometric technologies usually violate human rights more extensively and intensively than older, more rudimentary and inexpensive biometrics. For example, it is possible to remotely harvest iris information when a person is wide awake without even being aware that their identification or authentication factors have been compromised. It isn't difficult to imagine ways to harvest someone's fingerprints and palm prints without their knowledge, and you cannot prevent a security camera from capturing your gait. You could use specialized software like Tor to surf the World Wide Web anonymously and cover your digital tracks, but it is much harder to leave no trail of DNA material in the real world.

Secondly, biometrics rely on probabilistic matching rather than discrete matching - unlike, for example, a password that you use on a social media platform. In the 2007 draft of India's current Human DNA Profiling Bill, the preamble said "the Deoxyribose Nucleic Acid (DNA) analysis of body substances is a powerful technology that makes it possible to determine whether the source of origin of one body substance is identical to that of another, and further to establish the biological relationship, if any, between two individuals, living or dead, without any doubt." This extract from the bill was quoted in an ongoing court case to use tampered chain of custody for DNA as the means to seek exoneration of the accused. And the scientists on the committee insist that the DNA Data Bank Manager "...shall communicate, for the purposes of the investigation or prosecution in a criminal offence, the following information to a court, tribunal, law enforcement agency ... as to whether the DNA profile received is already contained in the Data Bank" - in other words, a "yes" or "no" answer. This is indeed odd for those who come from the world of Internet policy - especially when one DNA lab worker confidentially shared that after a DNA profile was generated the "standard operating procedure" included checking it against the DNA profile of the lab worker to ensure that there was no contamination during the process of generating the profile. This would not be necessary for older forms of biometrics such as the process of developing a photograph. In other words, chain of custody issues with every generation of biometric technology are getting more and more complex. In the developing world, the disillusioned want to believe that "technology is the solution." The fallibility of technology must determine its evidentiary status.

Finally, biometrics are only machine-scrutable. This means machines and not human beings will determine whether you are guilty or innocent; whether you should get subsidized medicine, grain, or fuel; whether you can connect to the Internet via mobile phone, cybercafe or broadband. DNA evidence is not directly observable by judges and therefore the technology and equipment have to be made increasingly transparent so that ordinary citizens as well as the scientific community can audit their effectiveness. In 2009, the Second District Court of Appeal and Circuit Court in Florida upheld a 2005 ruling requiring CMI Inc, the manufacturer of Intoxilyzer 5000, to release source code, failing which evidence from the breathalyzer would be rendered inadmissible in more than 100 drunk driving cases. If the transparency of machines is important when prosecuting misdemeanors then surely this is something we must advocate for when culpability for serious crimes is determined through DNA evidence and other types of biometric technologies. This could be accomplished by the triad of mandates for free/open source software, open standards and open hardware. This is not necessary for all DNA technology and equipment that is used in the market, but only for a small sub-set of these technologies that impinge on our rights as human beings via law enforcement and the judicial system.

It has been nine years since India started the process of drafting this bill. We hope that the delays will only result in a robust law that upholds human rights, justice and scientific progress.

Sunil Abraham is Executive Director of the Centre for Internet and Society, based in Bangalore, India.

For more details visit https://cis-india.org/internet-governance/blog/council-for-responsible-genetics-april-2014-sunil-abraham-very-big-brother

Lok sabha polls: Social media companies launch special pages for polls

praskrishna — 2014-04-14T11:28:54Z

Internet and social media giants such as Google and Facebook have launched special campaigns, pages and services around the Indian Lok Sabha elections to make the most of the world's largest democratic exercise that kicked off on Monday.

The article by Varuni Khosla was published in the Economic Times on April 10, 2014. Sunil Abraham is quoted.

Big and small social media companies are looking to use the poll fever to augment their businesses by wooing new users and generating more traffic.

Google, for example, recently launched an election page along with a Google Hangout series and a 'Pledge to Vote' and 'Know Your Candidates' campaign that featured 97-year-old Shyam Saran Negi from Himachal Pradesh who has voted in every election in Independent India. Twitter has come up with a 'Discover' section of curated tweets while Facebook has launched an election trackers as well as a 'Facebook Talks' page.

Indian social platform Vebbler has unveiled 'Ungli' campaign while telecom operator MTS has tied up with Social Samosa for an election tracker.

"While in the short run it may just be a branding exercise, in the long run it could result in more sign-ups and convert into a wider user base for these companies," said Bhupendra Khanal, CEO and co-founder at social business intelligence company Simplify360.

"But it also shows how important India is as a market for these companies — that they are looking at generating information beyond short-term revenues," he added. Khanal said the most popular hashtags with mentions in last 30 days are #Elections2014, which got 46,000 mentions, and #Election2014:, with 36,000 mentions.

This shows that social media users are following and discussing the elections and candidates constantly. Raheel Khursheed, head of news, politics and government at Twitter India, said election candidates across political parties are using Twitter platform to break news, answer questions and post 'selfies'.

"This page lets voters see all the official Twitter feeds from political parties and candidates and will let voters make an informed choice before they go and vote," he said.

Sunil Abraham, executive director at non-profit charitable organisation Centre for Internet and Society, said social media companies are looking at earning close to 10% of the entire media spend by political parties.

"When they have election related features on their site, they can tell their advertisers (political parties) that they are a serious platform that talks politics," he said. "Also, when a user clicks on these ads that are being put up by parties, social media companies are able to gain granular information about the user's likes and dislikes and therefore figure out how to advertise to them in the future," Abraham added.

These make it doubly attractive for social media companies to have such services.

Also, experts say that it doesn't cost much at all to set up these special pages and launch campaigns. "Spends on these campaigns could cost social media companies just about Rs 10-20 lakh - including making videos and setting up pages," a social media agency head said.

This person said that about 60 million people have been discussing Indian Elections on social media, even though there are just about 40 million Twitter users in India. "So, a lot of interest has been taken in the elections from other countries," the person added.

Close to 65% of India's population is under the age of 35 and more and more young people in the country are using social media.

The Internet and Mobile Association of India (IMAI) estimates that a well-executed social media campaign can swing 3%–4% of votes. "Digital advertising in India has increased by 30% this year and around Rs 3402 crore is expected to be spent in 2014. Of this, social media spend is close to Rs 300 crore according to IMRB," says James Drake-Brockman, head of digital marketing division, DMG :: events.

For more details visit https://cis-india.org/news/economic-times-april-10-2014-varuni-khosla-lok-sabha-polls

Report of the Group of Experts on Privacy vs. The Leaked 2014 Privacy Bill

elonnai — 2014-04-14T06:10:20Z

Following our previous post comparing the leaked 2014 Privacy Bill with the leaked 2011 Privacy Bill, this post will compare the recommendations provided in the Report of the Group of Experts on Privacy by the Justice AP Shah Committee to the text of the leaked 2014 Privacy Bill. Below is an analysis of recommendations from the Report that are incorporated in the text of the Bill, and recommendations in the Report that are not incorporated in the text of the Bill.

Recommendations in the Report of the Group of Experts on Privacy that are Incorporated in the 2014 Privacy Bill

Constitutional Right to Privacy

The Report of the Group of Experts on Privacy recommends that any privacy legislation for India specify the constitutional basis of a right to privacy. The 2014 Privacy Bill has done this, locating the Right to Privacy in Article 21 of the Constitution of India.

Nine National Privacy Principles

The Report of the Group of Experts on Privacy recommends that nine National Privacy Principles be adopted and applied to harmonize existing legislation and practices. The 2014 Privacy Bill also adopts nine National Privacy Principles. Though these principles differ slightly from the National Privacy Principles recommended in the Report, they are broadly the same, and importantly will apply to all existing and evolving practices, regulations and legislations of the Government that have or will have an impact on the privacy of any individual. Presently, the 2014 Privacy Bill locates the nine National Privacy Principles in an Annex to the Bill, but also incorporates the principles in more detail in sections relating to personal data. An analysis of the principles as compared in the Report and the Bill is below:

Notice: The principle of notice as recommended by the Report of the Group of Experts on Privacy differs from the principle of notice in the 2014 Privacy Bill. According to the notice principle in the Report, a data controller shall give sample to understand notice of its information practices to all individuals, in clear and concise language, before any personal information is collected from them. Such notices should include: (during collection) What personal information is being collected; Purposes for which personal information is being collected; Uses of collected personal information; Whether or not personal information may be disclosed to third persons; Security safeguards established by the data controller in relation to the personal information; Processes available to data subjects to access and correct their own personal information; Contact details of the privacy officers and SRO ombudsmen for filing complaints. (Other Notices) Data breaches must be notified to affected individuals and the commissioner when applicable. Individuals must be notified of any legal access to their personal information after the purposes of the access have been met. Individuals must be notified of changes in the data controller’s privacy policy. Any other information deemed necessary by the appropriate authority in the interest of the privacy of data subjects.

In contrast, the 2014 Privacy Bill requires that all the data controllers provide adequate and appropriate notice of their information practices in a form that is easily understood by all intended recipients. In addition to this principle as listed in an annex, the Bill requires that on initial collection data controllers provide notice of what personal data is being collected and the legitimate purpose for which the personal data is being collected. If the purpose for which the personal data changes, data controllers must provide data subjects with a further notice that would include the use to which the personal data shall be put, whether or not the personal data will be disclosed to at third person and, if so, the identity of such person if the personal data being collected is intended to be transferred outside India and the reasons for doing so; how such transfer helps in achieving the legitimate purpose; and whether the country to which such data is transferred has suitable legislation to provide for adequate protection and privacy of the data; the security and safeguards established by the data controller in relation to the personal data; the processes available to a data subject to access and correct his personal data; the recourse open to a data subject, if he has any complaints in respect of collection or processing of the personal data and the procedure relating thereto; the name, address and contact particulars of the data controller and all persons who will be processing the personal data on behalf of the data controller. Additionally, if a breach of data takes place data controllers must inform the affected data subject that lost or stolen; accessed or acquired by any person not authorized to do so; damaged, deleted or destroyed; processed, re-identified or disclosed in an unauthorized manner.

Though the 2014 Privacy Bill requires a more comprehensive notice to be issued if the purpose for the use of personal data changes, it does not specify (as recommended by the Group of Experts on Privacy) that notice of changes to a data controller’s privacy policy be issued.

Choice and Consent: The principle of choice and consent in the 2014 Privacy Bill is similar to the principle in the Report of the Group of Experts on privacy in that it requires that all data subjects be provided with a choice to provide or not to provide personal data and that data subject will have the option of withdrawing consent at any time. Though not a part of the specific principle on ‘choice and consent’ listed in the annex the 2014 Privacy Bill also contains provisions that address mandatory collection of information which require, as recommended by the Report of the Group of Experts, that the information is anonymoized. Furthermore, the 2014 Privacy Bill provides individuals an opt-in or opt-out choice with respect to the provision of personal data.

Different from as recommended in the principle in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that in exception cases when it is not possible to provide a service with choice and consent, then choice and consent will not be required.

Collection Limitation: The principle of collection limitation as recommended in the Report of the Group of Experts on Privacy and the principle of collection limitation in the Annex of the 2014 Privacy Bill are similar in that both require that only data that is necessary to achieve an identified purpose be collected. As recommended in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill also requires that notice be provided prior to collection and content taken.

Purpose Limitation: Though the principle of Purpose Limitation are similar in the Report of the Group of Experts on Privacy and the 2014 Privacy Bill as they both require personal data to be used only for the purposes for which it was collected and that the data must be destroyed after the purposes have been served, the 2014 Privacy Bill does not specify that information collected by a data controller must be adequate and relevant for the purposes for which they are processed. The 2014 Privacy Bill also incorporates elements from the principle of Purpose Limitation as defined by the Report of the Group of Experts in other parts of the Bill. For example, the 2014 Bill requires that notice be provided to the individual if there is a change in purpose for the use of the personal information, and designates a section on retention of personal data.

Access and Correction: The principle of Access and Correction in the 2014 Privacy Bill reflects the principle of Access and Correction in the Report of the Group of Experts (though not verbatim). Importantly, the 2014 Privacy Bill incorporates the recommendation from the Report of the Group of Experts on Privacy that prohibits access to personal data if it will affect the privacy rights of another individual.

Disclosure of Information: The principle of ‘Disclosure of Information’ in the Privacy Bill 2014 is similar to the principle of ‘Disclosure of Information’ as recommended in the Report of the Group of Experts on Privacy (though not verbatim). As recommended this principle requires that personal data be disclosed to third parties only if informed consent has been taken from the individual and the third party is bound the adhere to all relevant and applicable privacy principles.

Security: The principle of security in the 2014 Privacy Bill reflects the principle of Security recommended in the Report of the Group of Experts on Privacy and requires that personal data be secured through reasonable security safeguards against unauthorized access, destruction, use, modification, de-anonymization or unauthorized disclosure.

Openness: The principle of Openness in the 2014 Privacy Protection Bill is similar to the principle of Openness recommended in the Report of the Group of Experts on Privacy in that it requires data controllers to make available to all individuals in an intelligible form, using clear and plain language, the practices, procedures, and policies, and systems that are in place to ensure compliance with the privacy principles. The principle in the 2014 Privacy Bill differs from the recommendation in the Report of the Group of Experts on Privacy in that it does not require data controllers to take necessary steps to implement practices, policies, and procedures in a manner proportional to the scale, scope, and sensitivity to the data they collect.

Accountability: The principle of Accountability in the 2014 Privacy Bill is similar to the principle of Accountability as recommended in the Report of the Group of Experts as both require that the data controller is accountable for compliance with the national Privacy Principles.

Application to interception and access, video and audio recording, personal identifiers, bodily and genetic material: The Privacy Bill 2014 incorporates the recommendations from the Report of the Group of Experts on Privacy and specifies the way in which the National Privacy Principles will apply to the interception and access of communications, video and audio recording, and personal identifiers. But the 2014 Privacy Bill does not specify the application of the National Privacy Principles to bodily and genetic material (though this information is included in the definition of sensitive personal information).

With respect to the installation and operation of video recording equipment in a public space, the 2014 Privacy Bill requires that video recording equipment may only be used in accordance with a prescribed procedure and for a legitimate purpose that is proportionate to the objective for which it was installed. Furthermore, individuals cannot use video recording equipment for the purpose of identifying an individual, monitoring his personal particulars, or revealing in public his personal information. The provisions in the Bill that speak to storage, processing, retention, security, and disclosure of personal data apply to the installation and use of video recording equipment. As a note the 2014 Privacy Bill carves out an exception for law enforcement and government intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India.

With respect to the application of the National Privacy Principles to the interception of communications, the 2014 Privacy Bill lays down a regime for the interception of communications and specifies that the principles of notice, choice, consent, access and correction, and openness will apply to the interception of communications when authorised.

With respect to Personal Identifiers, the 2014 Privacy Bill notes that the principles of notice, choice, and consent will not apply to the collection of personal identifiers by the government. Additionally, the government will not be obliged to use any personal identifier only for the limited purpose for which the personal identifier was collected, provided that the use is in conformance with the other National Privacy Principles.

Additional Protection for Sensitive Personal Data

The Report of the Group of Experts on Privacy broadly recommends that sensitive personal data be afforded additional protection and existing definitions of sensitive personal data should be harmonised. The 2014 Privacy Bill incorporates these recommendations by defining sensitive personal data as data relating to physical and mental health including medical history, biometric, bodily or genetic information; criminal convictions; password, banking credit and financial data; narco analysis or polygraph test data, sexual orientation. The 2014 Privacy Bill also requires authorization from the Data Protection Authority for the collection and processing of sensitive personal data and defines circumstances of when this authorization would not be required including: collection or processing of such data is authorized by any other law for the time being in force; such data has already been made public as a result of steps taken by the data subject; collection and processing of such data is made in connection with any legal proceedings by an order of the competent court; such data relating to physical or mental health or medical history of an individual is collected and processed by a medical professional, if such collection and processing is necessary for medical care and health of that individual; such data relating to biometrics, bodily or genetic material, physical or mental health, prior criminal convictions or financial credit history is processed by the employer of an individual for the purpose of and in connection with the employment of that individual; such data relating to physical or mental health or medical history is collected an processed by an insurance company, if such processing is necessary for the purpose of and in connection with the insurance policy of that individual; such data relating to criminal conviction, biometrics and genetic is processed and collected by law enforcement agencies; such data regarding credit, banking and financial details of an individual is processed by a specific user under the Credit Information Companies (Regulation) Act, 2005; such data is processed by schools or other education institutions in connection with imparting of education to an individual; such data is collected or processed by the government Intelligence agencies in the interest of the sovereignty, integrity, security or the strategic, scientific or economic interest of India, the authority has, by a general or specified order permitted the processing of such data for specific purpose and is limited to the extent of such permission. The 2014 Privacy Bill also prohibits additional transactions from being performed using sensitive personal information unless free consent was obtained for such transaction.

Privacy Officers

The Report of the Group of Experts on Privacy recommends that Privacy Officers be established at the organizational level for overseeing the processing of personal data and compliance with the Act. This recommendation has been incorporated in the 2014 Privacy Bill, which establishes Privacy Officers at the organizational level.

Co-regulatory Framework

The Report of the Group of Experts on Privacy recommends that a system of co-regulation be established, where industry levels self regulatory organizations develop privacy norms, which are in turn approved and enforced by the Privacy Commissioner. The 2014 Privacy Bill puts in place a similar co-regulatory framework where industry level self regulatory organizations can develop norms which will be turned into regulations and enforced by the Data Protection Authority. If a sector does not develop norms, the Data Protection Authority can develop norms for the specific sector.

Recommendations in the Report that are not in the Bill

Scope

The Report of the Group of Experts on Privacy recommends that the scope of any privacy framework extends to all individuals, all data processed in India, and all data originating from India. The 2014 Privacy Bill differs from these recommendations by extending the right to privacy to all residents of India, while remaining silent on whether or not the scope of the legislation extends to all data processed in India and all data originating in India. Despite this, the 2014 Bill does specify that any organization that processes or deals with data of an Indian resident, but does not have a place of business within India, must establish a ‘representative resident’ in India who will be responsible for compliance with the Act.

Exceptions

The Report of the Group of Experts recommends the following as exceptions to the right to privacy:

National security
Public order
Disclosure in the public interest
Prevention, detection, investigation, and prosecution of criminal offenses
Protection of the individual and rights and freedoms of others

The Report further clarifies that any exception must be qualified and measured against the principles of proportionality, legality, and necessary in a democratic state.

The Privacy Bill 2014 reflects only the exception of “protection of the individual rights and freedoms of others”. The exceptions as defined in the 2014 Bill are:

Sovereignty, integrity or security of India or
Strategic, scientific or economic interest of India; or
Preventing incitement to the commission of any offence; or
Prevention of public disorder; or
The investigation of any crime; or
Protection of rights and freedoms others; or
Friendly relations with foreign states; or
Any other legitimate purpose mentioned in this Act.

Instead of qualifying these exceptions with the principles of proportionality, legality, and necessary in a democratic state – as recommended in the Report of Group of Experts on Privacy, the 2014 Privacy Bill qualifies that any restriction must be adequate and not excessive to the objectives it aims to achieve.

Constitution of Infringement of Privacy

The Report of the Group of Experts on Privacy specifies that the publication of personal data for artistic and journalistic purposes in the public interest, disclosure under the Right to Information Act, 2005, and the use of personal data for household purposes should not constitute an infringement of privacy. In contrast the 2014 Privacy Bill specifies that the processing of personal data by an individual purely for his personal or household use, the disclosure of information under the provisions of the Right to information Act, 2005, and any other action specifically exempted under the Act will not constitute an infringement of privacy.

The Data Protection Authority

The Report of the Group of Experts on Privacy recommends the establishment of Privacy Commissioners (and places emphasis on Privacy Commissioner rather than Data Protection Authority) at the Central and Regional level. The Privacy Commissioner should be of a rank no lower than a retired Supreme Court Judge at the Central level and a retired High Court Judge at the regional level. The privacy commissioner should have the power to receive and investigate class action complaints and investigative powers of the commissioner should include the power to examine and call for documents, examine witnesses, and take a case to court if necessary. The Commissioner should be able to investigate data controllers on receiving complaints or suo moto, and can order privacy impact assessments. Organizations should not be able to appeal fines levied by the Privacy Commissioner, but individuals can appeal a decision of the Privacy Commissioner to the court. The Commissioner should also have broad oversight with respect to interception/access, audio & video recordings, use of personal identifiers, and the use of bodily or genetic material. The Privacy Commissioner will also have the responsibility of approving codes of conduct developed by the industry level SRO’s.

Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill establishes a Data Protection Authority (as opposed to a Privacy Commissioner) at the Central level. Instead of creating regional Data Protection Authorities, the 2014 Privacy Bill allows for the Central Government to decide where other offices of the Data Protection Authority will be located. Furthermore, the 2014 Privacy Bill does not specify a qualification for the Data Protection Authority and instead establishes a selection committee to choose and appoint a Data Protection Authority. This committee is comprised of a Cabinet Secretary, Secretary to the Department of Personnel and Training, Secretary to the Department of Electronics and Information Technology, and two experts of eminence from relevant fields that will be nominated by the Central Government.

The 2014 Privacy Bill does not specify that fines ordered by the Data Protection Authority will be binding for organizations, but does allow individuals to appeal decisions of the Data Protection Authority to the Appellate Tribunal. Differing from the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill gives the Data Protection Authority the power to call upon any data controller at any time to furnish in writing information or explanation relating to its affairs, and receive and investigate complaints about alleged violations of privacy of individuals in respect of matters covered under this Act, conduct investigations and issue appropriate orders or directions to the parties concerned. Furthermore, the 2014 Privacy Bill does not specify that the Data Protection Authority will carry out privacy impact assessments, but the Authority can conduct audits of any or all personal data controlled by a data controller, can investigate data breaches, investigate in complaint received, and adjudicate on a dispute arising between data controllers or data subjects and data controllers. Unlike the recommendations in the Report of the Group of Experts on Privacy, it does not seem that the Data Protection Authority will play an overseeing role with respect to interception, the use of video recording equipment, personal identifiers, and the use of bodily and genetic material.

Tribunal and System of Complaints

Differing from the recommendation in the Report of the Group of Experts on Privacy, which specified that a Tribunal should not be established as under the Information Technology Act as there is the risk that the institutions will not have the capacity to rule on a broad right to privacy, the 2014 Privacy Bill does establish a Tribunal under the Information Technology Act. The Report of the Group of Experts on Privacy also recommended that complaints be taken to the district level, high level, and Supreme Court – whereas the 2014 Privacy Bill allows individuals to appeal decisions from the Tribunal only to a High Court. Similar to the recommendations of the Report of the Group of Experts, the 2014 Privacy Bill has in place Alternative Dispute Resolution mechanisms at the level of the industry self regulatory organization. The 2014 Privacy Bill also specifies that individuals can seek civil remedies and leaves the issuance of compensation for privacy harm to be from a Court. Unlike the recommendations in the Report of the Group of Experts on Privacy, the 2014 Privacy Bill does not specify that the Data Protection Authority will be able to take a case to the court.

Penalties and Offenses

The Report of the Group of Experts on Privacy did not provide specific recommendations for types of offences and penalties, but did suggest that offenses similar to those spelled out in the UK Data Protection Act and Australian Privacy Act be adopted – namely non-compliance with the privacy principles, unlawful collection, processing, sharing/disclosure, access, and use of personal data, and obstruction of the privacy commissioner. The 2014 Privacy Bill does create offenses for the unlawful collection, processing, sharing/disclosure, access, and use of personal data, but does not create offenses for obstruction of the privacy commissioner or broad non-compliance with the privacy principles.

Conclusion

The Centre for Internet and Society welcomes the similarities between the recommendations in the Report of the Group of Experts on Privacy and the leaked 2014 Privacy Bill, but would recommend that on areas where there are differences, particularly in the scope of the Privacy Bill and the powers and functions of the Data Protection Authority, the 2014 Bill be brought in line with the recommendations from the Report of the Group of Experts on Privacy.

In the upcoming post, we will be comparing the text of the leaked 2014 Privacy Bill to international best practices and standards.

References

For more details visit https://cis-india.org/internet-governance/blog/report-of-group-of-experts-on-privacy-vs-leaked-2014-privacy-bill

Net Neutrality, Free Speech and the Indian Constitution - I

gautam — 2014-04-29T08:03:57Z

In this post, I will explore net neutrality in the context of Indian law and the Indian Constitution.

Let us take, for the purposes of this post, the following definition:

“The idea that all Internet traffic should be treated equally is known as network neutrality. In other words, no matter who uploads or downloads data, or what kind of data is involved, networks should treat all of those packets in the same manner.”

In other words, put simply, net neutrality in its broadest form requires the extant gatekeepers of the internet – such as, for instance, broadband companies – to accord a form of equal and non-discriminatory treatment to all those who want to access the internet. Examples of possible discrimination – as the quote above illustrates – include, for instance, blocking content or providing differential internet speed (perhaps on the basis of a tiered system of payment for access).

Net neutrality has its proponents and opponents, and I do not have space here to address that dispute. In its broadest and absolutist form, net neutrality is highly controversial (including arguments that existing status quo is not neutral in any genuine sense). I take as given, however, that some form of net neutrality is both an important and a desirable goal. In particular, intentional manipulation of information that is available to internet users – especially for political purposes – is, I assume, an undesirable outcome, as are anti-competitive practices, as well as price-discrimination for the most basic access to the internet (this brief article in the Times of India provides a decent, basic primer on the stakes involved).

An example of net neutrality in practice is the American Federal Communications Commission’s Open Internet Order of 2010, which was the subject of litigation in the recently concluded Verizon v. FCC. The Open Internet order imposed obligations of transparency, no blocking, and no unreasonable discrimination, upon internet service providers. The second and third requirements were vacated by a United States Court of Appeals. The rationale for the Court’s decision was that ISPs could not be equated, in law, to “common carriers”. A common carrier is an entity that offers to transport persons and/or goods in exchange for a fee (for example, shipping companies, or bus companies). A common carrier is licensed to be one, and often, one of the conditions for license is an obligation not to discriminate. That is, the common carrier cannot refuse to carry an individual who is willing and able to pay the requisite fees, in the absence of a compelling reason (for example, if the individual wishes the carrier to transport contraband). Proponents of net neutrality have long called for treating ISPs as common carriers, a proposition – as observed above – was rejected by the Court.

With this background, let us turn to India. In India, internet service providers are both state-owned (BSNL and MTNL), and privately-owned (Airtel, Spectranet, Reliance, Sify etc). Unlike many other countries, however, India has no network-neutrality laws. As this informative article observes:

“The Telecom Regulatory Authority of India (TRAI), in its guidelines for issuing licences for providing Unified Access Service, promotes the principle of non-discrimination but does not enforce it… the Information Technology Act does not provide regulatory provisions relating to Internet access, and does not expressly prohibit an ISP from controlling the Internet to suit their business interests.”

In the absence of either legislation or regulation, there are two options. One, of course, is to invoke the rule of common carriers as a common law rule in court, should an ISP violate the principles of net neutrality. In this post (and the next), however, I would like to analyze net neutrality within a constitutional framework – in particular, within the framework of the constitutional guarantee of freedom of speech and expression.

In order to do so, two questions become important, and I shall address them in turn. First, given that most of the ISPs are privately owned, how does the Constitution even come into the picture? Our fundamental rights are enforceable vertically, that is, between individuals and the State, and not horizontally – that is, between two individuals, or two private parties. Where the Constitution intends to depart from this principle (for instance, Article 15(2)), it specifically and expressly states so. As far as Article 19 and the fundamental freedoms are concerned, however, it is clear that they do not admit of horizontal application.

Yet what, precisely, are we to understand by the term “State”? Consider Article 12:

“In this part, unless the context otherwise requires, the State includes the Government and Parliament of India and the Government and the Legislature of each of the States and all local or other authorities within the territory of India or under the control of the Government of India.”

The key question is what, precisely, falls within the meaning of “other authorities”. The paradigmatic example – and this is something Ambedkar had in mind, as is evidenced by the Constituent Assembly Debates – is the statutory corporation – i.e., a company established under a statute. There are, however, more difficult cases, for instance, public-private partnerships of varying types. For the last fifty years, the Supreme Court has struggled with the issue of defining “other authorities” for the purposes of Part III of the Constitution, with the pendulum swinging wildly at times. In the case of Pradeep Kumar Biswas v. Indian Institute of Chemical Biology, a 2002 judgment by a Constitution bench, the Court settled upon the following definition:

“The question in each case would be whether in the light of the cumulative facts as established, the body is financially, functionally and administratively dominated by or under the control of the Government. Such control must be particular to the body in question and must be pervasive. If this is found then the body is a State within Article 12. On the other hand, when the control is merely regulatory whether under statute or otherwise, it would not serve to make the body a State.”

Very obviously, this dooms the ISP argument. There is no way to argue that ISPs are under the pervasive financial, functional and administrative domination or control of the State. If we step back for a moment, though, the Pradeep Kumar Biswas test seems to be radically under-inclusive. Consider the following hypothetical: tomorrow, the government decides to privatize the nation’s water supply to private company X. Company X is the sole distributor of water in the country. On gaining control, it decides to cut off the water supply to all households populated by members of a certain religion. There seems something deeply wrong in the argument that there is no remedy under discrimination law against the conduct of the company.

The argument could take two forms. One could argue that there is a certain minimum baseline of State functions (ensuring reasonable access to public utilities, overall maintenance of communications, defence and so on). The baseline may vary depending on your personal political philosophy (education? Health? Infrastructure?), but within the baseline, as established, if a private entity performs a State function, it is assimilated to the State. One could also argue, however, that even if Part III isn’t directly applicable, certain functions are of a public nature, and attract public law obligations that are identical in content to fundamental rights obligations under Part III, although their source is not Part III.

To unpack this idea, consider Justice Mohan’s concurring opinion in Unnikrishnan v. State of Andhra Pradesh, a case that involved the constitutionality of high capitation fees charged by private educational institutions. One of the arguments raised against the educational institutions turned upon the applicability of Article 14’s guarantee of equality. The bench avoided the issue of whether Article 14 directly applied to private educational institutions by framing the issue as a question of the constitutionality of the legislation that regulated capitation fees. Justice Mohan, however, observed:

“What is the nature of functions discharged by these institutions? They discharge a public duty. If a student desires to acquire a degree, for example, in medicine, he will have to route through a medical college. These medical colleges are the instruments to attain the qualification. If, therefore, what is discharged by the educational institution, is a public duty that requires… [it to] act fairly. In such a case, it will be subject to Article 14.”

In light of Pradeep Kumar Biswas, it is obviously difficult to hold the direct application of the Constitution to private entities. We can take Justice Mohan, however, to be making a slightly different point: performing what are quintessentially public duties attract certain obligations that circumscribe the otherwise free action of private entities. The nature of the obligation itself depends upon the nature of the public act. Education, it would seem, is an activity that is characterized by open and non-discriminatory access. Consequently, even private educational institutions are required to abide by the norms of fairness articulated by Article 14, even though they may not, as a matter of constitutional law, be held in violation of the Article 14 that is found in the constitutional text. Again, the content of the obligation is the same, but its source (the constitutional text, as opposed to norms of public law) is different.

We have therefore established that in certain cases, it is possible to subject private entities performing public functions to constitutional norms without bringing them under Article 12’s definition of the State, and without the need for an enacted statute, or a set of regulations. In the next post, we shall explore in greater detail what this means, and how it might be relevant to ISPs and net neutrality.

Gautam Bhatia — @gautambhatia88 on Twitter — is a graduate of the National Law School of India University (2011), and presently an LLM student at the Yale Law School. He blogs about the Indian Constitution at http://indconlawphil.wordpress.com. Here at CIS, he will be blogging on issues of online freedom of speech and expression.

For more details visit https://cis-india.org/internet-governance/blog/net-neutrality-free-speech-and-the-indian-constitution-part-1